As we kick off the new year, we’re excited to introduce the latest updates to Calico, designed to create a single, unified platform for all your Kubernetes networking, security, and observability needs. These new features help organizations reduce tool sprawl, streamline operations, and lower costs, making it more convenient and efficient to manage Kubernetes environments.
In this blog, we’ll highlight some of the most exciting additions that include a major new product capability, an ingress gateway.
Managing and securing traffic in Kubernetes environments is one of the most complex and critical challenges organizations face today. With more than 60% of enterprises having adopted Kubernetes, according to an annual CNCF survey, controlling and optimizing how external traffic enters clusters is more important than ever. As applications grow in scale and complexity, legacy ingress solutions often fall short, plagued by operational inefficiencies, reliance on proprietary APIs, limited scalability, and difficulty in customization. These limitations make it difficult for teams to maintain consistent performance and robust security across their environments.
To address these challenges, we’re excited to introduce the Calico Ingress Gateway, an enterprise hardened, 100% upstream distribution of Envoy Gateway that leverages and expands the Continue reading
Audit logs are a critical tool for tracking and recording changes, actions, and resource access patterns within your Cloudflare environment. They provide visibility into who performed an action, what the action was, when it occurred, where it happened, and how it was executed. This enables security teams to identify vulnerabilities, ensure regulatory compliance, and assist in troubleshooting operational issues. Audit logs provide critical transparency and accountability. That's why we're making them "automatic" — eliminating the need for individual Cloudflare product teams to manually send events. Instead, audit logs are generated automatically in a standardized format when an action is performed, providing complete visibility and ensuring comprehensive coverage across all our products.
We're excited to announce the beta release of Automatic Audit Logs — a system that unifies audit logging across Cloudflare products. This new system is designed to give you a complete and consistent view of your environment’s activity. Here’s how we’ve enhanced our audit logging capabilities:
Standardized logging: Previously, audit logs generation was dependent on separate internal teams, which could lead to gaps and inconsistencies. Now, audit logs are automatically produced in a seamless and standardized way, eliminating Continue reading
Vini Motta decided to use AI on ipSpace.net content to find what it would recommend as the projects to work on in order to become employable in 2025. Here are the results he sent me; my comments are inline on a gray background.
In the previous blog post, I described the usual mechanisms used to connect virtual machines or containers in a virtual lab, and the drawbacks of using Linux bridges to connect virtual network devices.
In this blog post, we’ll see how KVM/QEMU/libvirt/Vagrant use UDP tunnels to connect virtual machines, and how containerlab creates point-to-point vEth links between Linux containers.
Now that 2025 has been here for a few weeks and 2024 has closed with a variety of year-end traditions — from Christmas and Hanukkah celebrations to New Year’s Eve (NYE) countdowns, as well as celebrations of Orthodox Christmas, and Lunar/Chinese New Year — let’s examine how these events have shaped online behavior across continents and cultures. Reflecting on Christmas and NYE 2024 provides insights into how these trends compared with those of the previous year, as detailed in an earlier blog.
One notable finding is the remarkable consistency in human online patterns from one year to the next, a trend that persists despite cultural differences among countries. Data from over 50 countries reveal how people celebrated in 2024–2025, offering a timely reminder of typical holiday trends. While Christmas remains a dominant influence in many regions, other cultural and religious events — such as Hanukkah and local festivities — also shape online habits where Western traditions hold less sway.
In regions where Christmas is deeply rooted, Internet traffic dips significantly during Christmas Eve dinners, midnight masses, morning gift exchanges, and Christmas Day lunches, a pattern evident in both our previous and current analyses.
This analysis focuses exclusively on non-bot Internet Continue reading
Despite many advantages of Segment Routing, some networks still prefer to use RSVP for traffic engineering – and they can have good reasons for this. Is there any value of SDN controller with RSVP-TE, compared to configuring policies on each …
It all started with a netlab issue describing different interpretations of VLAN 1 in a trunk. While Cumulus NVUE (the way the netlab configuration template configures it) assumes that the VLAN 1 in a trunk is tagged, Arista EOS assumes it’s the native VLAN.
At that point, I should have said, “that’s crazy, we shouldn’t allow that” and enforce the “VLAN 1 has to be used as a native VLAN” rule. Alas, 20/20 hindsight never helped anyone.
TL&DR: Do not use VLAN 1 in VLAN trunks; if you have to, use it as a native VLAN.
Have you ever wondered how to navigate the complexities of managing Kubernetes clusters effectively? Observability is the key, and Elasticsearch plays a pivotal role in storing and analyzing the critical data that keeps your systems running smoothly.
In this blog post, we will delve into the essential aspects of observability within Kubernetes clusters powered by Calico eBPF data plane, highlighting the significance of Elasticsearch in this ecosystem. We’ll explore how Calico leverages Elasticsearch to enhance both observability and security, providing a comprehensive guide to common issues, best practices, and troubleshooting tips. You will understand the value of observability on a Kubernetes cluster and how to keep Elasticsearch healthy by storing and making observability data available. By the end, you’ll be equipped with the knowledge to maintain a robust and efficient Elasticsearch setup, ensuring optimal performance and security for your Kubernetes cluster powered by Calico eBPF data plane.
We will discuss what Elasticsearch is, why it matters, and how Calico Enterprise utilizes it to provide unparalleled observability. Whether you’re dealing with common issues or looking to implement best practices, this guide will serve as your reference guide to maintain a healthy Elasticsearch setup.
Cloudflare was recently contacted by a group of anonymous security researchers who discovered a broadcast amplification vulnerability through their QUIC Internet measurement research. Our team collaborated with these researchers through our Public Bug Bounty program, and worked to fully patch a dangerous vulnerability that affected our infrastructure.
Since being notified about the vulnerability, we've implemented a mitigation to help secure our infrastructure. According to our analysis, we have fully patched this vulnerability and the amplification vector no longer exists.
QUIC is an Internet transport protocol that is encrypted by default. It offers equivalent features to TCP (Transmission Control Protocol) and TLS (Transport Layer Security), while using a shorter handshake sequence that helps reduce connection establishment times. QUIC runs over UDP (User Datagram Protocol).
The researchers found that a single client QUIC Initial packet targeting a broadcast IP destination address could trigger a large response of initial packets. This manifested as both a server CPU amplification attack and a reflection amplification attack.
When using TCP and TLS there are two handshake interactions. First, is the TCP 3-way transport handshake. A client sends a SYN packet to a server, it responds with Continue reading
The post BGP Routing Information Base (RIB) Deep Dive appeared first on Noction.
We know that in Palo Alto, or in any NGFW, we can allow or block various URL categories. Speaking specifically about the Palo Alto firewall, let's say you have a strict URL filtering policy and decide to block the 'Shareware and Freeware' category.
When you do this, you'll likely have frustrated users complaining that they can't access sites like GitHub, for example.
So, what did I do now to cause another network issue? Well, Palo Alto categorizes github.com
as 'Shareware and Freeware', so the firewall simply blocks it. There’s a high chance that many other useful sites will get blocked too.
A quick fix is to create a Custom URL Category and add the GitHub URL to it. However, this isn’t a scalable solution.
For instance, if I start with *.github.com
, the firewall may block github.com
. Then, if I add github.com
, the firewall might block URLs like www.github.githubassets.com
. To address this, I’d need to use a different wildcard, but we can’t keep doing this for every affected site.
Instead of managing each URL individually like before, we Continue reading
The initial IS-IS labs covered the IS-IS basics. It’s time to move on to interesting IS-IS features (and why you might want to use them), starting with passive IS-IS interfaces.